Weekly Cyber Risk Roundup: Russian Hacking and New Extortion Campaigns

This week’s top trending cybercrime story is a hack that wasn’t: Vermont’s Burlington Electric Department. A December 30 Washington Post story falsely claimed that Russian threat actors had penetrated the U.S. power grid via the Vermont utility. That story has since been widely debunked, as the alleged international hacking incident was set off by a department employee simply checking his Yahoo email account. The employee’s actions triggered an alert, as it matched an IP address tied to indicators of compromise released by the Department of Homeland Security related to the alleged Russian hacking around the U.S. presidential election.

2017-01-06_ITT.png“We uploaded the indicators to our scanning system to look for the types of things specified,” Burlington Electric Department general manager Neil Lunderville told Fortune. “Then sometime on Friday morning, when one of our employees went to check email at Yahoo.com, our scanning system intercepted communications from that computer and an IP address listed in the indicators of compromise. When warned of that, we immediately isolated the computer, pulled it off the network, and alerted federal authorities.”

The incident involved a single computer not even connected to the grid control systems, he added.

The false story comes on the heels of a report issued by DHS and the FBI on Grizzly Steppe, the U.S. code name for the malicious cyber activity carried out by the Russian civilian and military intelligence services. That interference led President Barack Obama to sanction four Russian individuals and five Russian entities, as well as to order 35 Russian diplomats to leave the country and close two Russian compounds.

Intelligence officials testified before Congress on Thursday, and Director of National Intelligence James Clapper said that Russia’s role included hacking and the ongoing dissemination of “fake news.” Thursday also saw the resignation of former CIA director James Woolsey from Donald Trump’s transition team over what the Chicago Tribune described as “growing tensions over Trump’s vision for intelligence agencies.”


Other trending cybercrime events from the week include:

  • Bugs and mistakes expose sensitive data: A bug in Nevada’s website portal exposed the personal data of more than 11,700 medical marijuana dispensary applications. Data related to healthcare professionals deployed within the U.S. Military’s Special Operations Command (SOCOM) was publicly exposed due to an unprotected remote synchronization service tied to Potomac Healthcare Solutions, which provides healthcare workers to the U.S. government through Booz Allen Hamilton. More than 10,000 invites to collaborate on Box.com accounts or documents were indexed and discoverable on search engines, including some documents containing sensitive financial and proprietary company information. PakWheels, an automotive classified site in Pakistan, announced a data breach due to a vulnerability in outdated vBulletin forum software.
  • Payment card breaches: British multinational hotel company InterContinental Hotels Group (IHG) is investigating a possible payment card breach after being notified of fraud patterns observed on credit and debit cards used at some IHG properties in the U.S., particularly Holiday Inn and Holiday Inn Express hotels. Topps announced a data breach affecting payment card and other data entered by customers when placing orders via its website. The incident was discovered in October and affects orders made through the Topps website between approximately July 30, 2016, and October 12, 2016.
  • Defacements and downtime: The Google Brazil domain was unavailable for 30 minutes on Tuesday afternoon due to a DNS attack that directed visitors to a defacement page. The official website of the Philippine military was defaced on December 30 by a hacker with the online handle “Shin0bi H4x0r.”
  • Ransomware updates: A ransomware infection at Los Angeles Valley College blocked access to emails, voicemail and computer systems as the computers of as many as 1,800 full-time faculty and staff could be infected. Ransomware actors are calling education establishments and claiming to be from the Department of Education, Department for Work and Pensions, and telecoms providers in order to obtain the contact information of the head teacher or financial administrator to attempt a ransomware infection.
  • Other breach announcements: Northside Independent School District is notifying 23,000 current and former students and employees that their information may have compromised after an investigation of an August 2016 compromise of employee email accounts turned out to be a more widespread breach. The founder of KeepKey said his company email and phone were temporarily compromised on December 25, and the attacker reset accounts linked to the email address and was able to access several channels for a short period. Recent widespread electricity cuts across Istanbul have been attributed to a major cyber-attack, according to sources from the Energy Ministry. The New Hampshire Department of Health and Human Services is notifying 15,000 individuals that their personal information was exposed when a former patient at New Hampshire’s state psychiatric hospital posted information he had previously stolen to a social media website. The Organization for Security and Co-operation in Europe has recently confirmed that it was hit by a major cyber-attack in the first weeks of November when hackers managed to “compromise the confidentiality” of its IT network.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

2017-01-06_riskOrganizations once again are being blackmailed by threat actors who are either threatening to release stolen data or else holding data hostage unless a ransom payment is made.

TheDarkOverlord is continuing its well-established tactic of hacking, extorting and then dumping data on a variety of targets. According to databreaches.net, “TDO appears to have dumped pretty much everything of any significance from two of the previously disclosed victims companies, Pre-Con Products, LTD, and G.S. Polymers, Inc. Other entities whose data TDO dumped include PcWorks, L.L.C. (in Ohio), International Textiles & Apparel, Inc. in Los Angeles, and UniQoptics, L.L.C. in Simi Valley.”

A new extortion campaign is being carried out by an actor using the name “Harak1r1.” The hacker is hijacking insecure MongoDB databases, stealing the data, and replacing the data with a single table and record called “WARNING.” The actor then attempts to extort the victims to recover their data. Researchers said the campaign is ongoing and that between Tuesday and Wednesday the number of compromised databases rose from around 2000 to more than 3500. The actor requests a 0.2 bitcoin ransom payment for victims to regain access to the files, which at least 17 companies have paid. The actor appears to be manually selecting the targets based on databases that appear to contain important data, according to Victor Gevers, co-founder of GDI Foundation.

Interestingly, it appears that a second threat actor may be using the same tactic, but charging 0.5 bitcoin instead, according to a Wednesday tweet addressed to Gevers.


As of Saturday afternoon, the second bitcoin address had 11 bitcoin transactions totaling 3.31 bitcoins, so it is possible that more victims are making ransom payments.

Author: Jeff Peters

SurfWatch Labs editor and host of SurfWatch Labs Cyber Chat podcast. Focused on using threat intelligence and data visualization in order to bring cybercrime to life and help make organizations safer.

3 thoughts on “Weekly Cyber Risk Roundup: Russian Hacking and New Extortion Campaigns”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: